Systems and methods for preventing denial of service attacks utilizing a proxy server

ABSTRACT

Aspects of the present disclosure involve systems, methods, computer program products, and the like, for utilizing an access log of a proxy server device of a content delivery network (CDN) to detect and mitigate a denial of service (DOS) attack on a web or content server hosted by the CDN. Through an analysis of the content requests received at the proxy server and listed in the access logs, one or more IP addresses may be identified as involved in a potential DOS attack or other suspicious behavior. Once identified, the suspicious activities of the one or more IP addresses may be tracked and aggregated over a particular period of time, with each detected suspicious request to the content server being counted. The count of suspicious requests to the content server may then be compared to one or more threshold values and a remediation action may occur when the thresholds are met or exceeded.

TECHNICAL FIELD

Aspects of the present disclosure generally relate to computer networks, and more particularly to utilizing a proxy server device of a content delivery network to detect and prevent denial of service attacks on a customer server of the network.

BACKGROUND

The Internet and the World Wide Web (the “Web”) are ubiquitous and easily accessible using numerous possible devices. Content providers (publishers) now use the Internet (and, particularly, the Web) to provide all kinds of content to numerous users throughout the world. In order to offload the job of serving some or all of its content, many content providers now operate or subscribe to content delivery networks (CDNs). Using a CDN, content can be served to clients from the CDN (i.e., from one or more content servers in the CDN) instead of from the content provider's server(s). In a caching CDN, content may also be cached on some or all of the CDN servers, either before being served or in response to specific requests for that content. Having content cached enhances the performance of the CDN because the content does not have to be retrieved from origin servers or other locations, which are less efficient than edge servers in providing content.

Numerous forms of content may be served from the CDN. For example, television shows and movies may now be accessed from any number of Web sites, and the shows and movies may be served from the CDN. Print newspapers have migrated to the Web and provide portals through which clients operating some form of computing device (e.g., PC, smart phone, or tablet) with a browser may access numerous forms of content, such as short video clips, articles, images, and audio tracks. Software updates and patches, once provided on disc and mailed to recipients, are now routinely distributed to devices from a CDN through one or more network connections and devices.

In some instances, CDNs may suffer an attack by an actor seeking to gain access to the network or to disrupt the operation of the network. A denial of service (DOS) attack is an attempt to make content servers or other resources of a company unavailable to legitimate users. In general, such attacks include flooding a content server with phony requests for information at such a frequency as to impede legitimate traffic or requests from being fulfilled by the content server. A distributed denial of service (DDOS) attack is similar except that the requests for the content are received from more than one, often thousands, of unique Internet Protocol (IP) addresses. As should be appreciated, such attacks may negatively impact the ability of the CDN to provide content to legitimate customers.

It is with these and other issues in mind that various aspects of thepresent disclosure were developed.

SUMMARY

One implementation of the present disclosure may take the form of a method for managing a content delivery network (CDN). The method may include the operations of obtaining an access log of a proxy server in communication with an associated content server of the CDN, the access log comprising uniform resource locator (URL) requests for content intended for the associated content server, and scanning the access log to detect a plurality of entries in the access log indicating the proxy server receiving a first URL request of a group of related URL requests from a particular Internet Protocol (IP) address associated with a requesting device, the receiving of the first URL request of the group of related URL requests from the particular IP address occurring within a first timeframe. Further, the method may include comparing the plurality of entries in the access log indicating the proxy server receiving the first URL request of the group of related URL requests from the particular IP address associated with a requesting device to a first threshold value and storing the particular IP address in a listing of potential sources of denial of service (DOS) attacks on the associated content server when the plurality of entries in the access log indicating the proxy server receiving the first URL request of the group of related URL requests from the particular IP address associated with a requesting device is greater than the first threshold value.

Another implementation of the present disclosure may take the form of a content delivery network (CDN). The CDN may include a content server through which content is available to a plurality of requesting devices and a proxy server in communication between the content server and the plurality of requesting devices. The proxy server is configured to obtain an access log comprising uniform resource locator (URL) requests for content intended for the associated content server and detect a plurality of entries in the access log indicating the proxy server receiving a first URL request of a group of related URL requests from a particular Internet Protocol (IP) address associated with a requesting device of the plurality of requesting devices within a first timeframe. The proxy server is further configured to compare the plurality of entries in the access log indicating the proxy server receiving the first URL request of the group of related URL requests from the particular IP address associated with a requesting device to a first threshold value and store the particular IP address in a listing of potential sources of denial of service (DOS) attacks on the associated content server when the plurality of entries in the access log indicating the proxy server receiving the first URL request of the group of related URL requests from the particular IP address associated with a requesting device is greater than the first threshold value.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an example network environment for distributing content to an end user from a network, such as a content delivery network (CDN).

FIG. 2 is an example network environment for utilizing a proxy server with a web content server of a customer of a CDN.

FIG. 3 is a flowchart of a method for detecting a potential denial of service attack on a web content server of a CDN.

FIG. 4 is a flowchart of a method for preventing a potential denial of service attack on a web content server of a CDN.

FIG. 5 is a diagram illustrating an example of a computing system which may be used in implementing embodiments of the present disclosure.

DETAILED DESCRIPTION

Aspects of the present disclosure involve systems, methods, computer program products, and the like, for utilizing an access log of a proxy server device of a content delivery network (CDN) to detect and mitigate a denial of service (DOS) or distributed denial of service (DDOS) attack (collectively referred to as a DOS attack) on a web or content server hosted by the CDN. In general, the access logs of the proxy server provide a listing of the requests made to the content server from particular Internet Protocol (IP) addresses. Through an analysis of the content requests received at the proxy server, one or more IP addresses may be identified as involved in a potential DOS attack or other suspicious behavior. Once identified, the suspicious activities of the one or more IP addresses may be tracked and aggregated over a particular period of time, with each detected suspicious request to the content server being counted. The count of suspicious requests to the content server may then be compared, in some embodiments, to one or more threshold values and a remediation action may occur when the thresholds are met or exceeded, such as providing a report or notification of the activity to an administrator of the content server and/or blocking future access to the content server from the identified IP addresses.

In one particular embodiment of the present disclosure, a proxy server is configured to maintain an access log of Uniform Resource Locator (URL) requests to a content server. These access logs may include a source IP address from which the request is received, a day/time stamp of receipt of the request, and the type of URL request, among other information. Typically, a URL request for content from the content server instructs the computing device associated with the IP address to provide additional URL requests for additional information from the content server. Through an analysis of the access logs, the proxy server (or other networking device) may identify those instances where a URL request for content is not followed by additional URL requests to the content server from the same IP address. These single URL requests are often associated with a DOS attack of some type on the content server. When detected, the proxy server may label such activity from the IP address as suspicious and track the number and type of suspicious occurrences from one or more IP addresses requesting content from the content server. A certain number of tracked occurrences over a particular period of time may trigger one or more actions taken by the CDN to address the potential DOS attack on the content server.

The process of identification of suspicious IP addresses and the associated action taken in response to the detected activity from the IP address at the content server may be configurable in many ways to tailor the system and methods to the desires of a content server administrator. For example, certain URL requests may be known to consist of a single URL request with no additional requests from the IP address. The proxy server may be configured to allow these types of requests to the content server without logging them as suspicious. In addition, certain types of URL requests may be known to historically be associated with DOS attacks, such as multiple login requests from a single IP address. The threshold values associated with these types of URL requests may be lower than those for other types of requests within the proxy server such that preventative actions may occur faster, making the response of the proxy server more sensitive to these known requests. Similarly, the types of preventative actions associated with one or more IP addresses may be adjusted, such as decreasing the threshold value upon which an action is taken and/or increasing the length of a block applied to the IP address. Further still, the proxy server may be configured to identify DDOS-type attacks that may occur from several IP addresses and take such action as to prevent access from the several IP addresses associated with the DDOS attack. Through these systems and methods, the proxy server may more quickly identify and respond to potential DOS attacks than previous preventative schemes.

As discussed above, aspects of the present disclosure involve systems, methods, computer program products, and the like, for managing the distribution of content and/or communications from a computer network to an end user of the network. In general, the system receives a request for content from the network from a user of the network and determines a server or content providing component within the network to provide the content to the user. For example, FIG. 1 is a network environment 100 for distributing content to one or more users. Although illustrated in FIG. 1 as a content delivery network, it should be appreciated that aspects of the present disclosure may apply to any type of telecommunications network that utilizes IP addresses for connecting an end user to one or more components of the network. For example, aspects of the disclosure may be utilized to connect a user of the network to an endpoint in the network, a conferencing server, a virtual private network device, and the like. Thus, although the CDN architecture is used throughout the document as the example network architecture through which aspects of the present disclosure may be applied, other network architectures and configurations are similarly contemplated.

In one implementation of the network environment 100, a CDN 102 is communicably coupled to one or more access networks 106. In general, the CDN 102 comprises one or more components configured to provide content to a user upon a request and an underlying IP network through which the request is received and the content is provided. The underlying IP network associated with the CDN servers may be any type of IP-based communication network configured to transmit and receive communications through the network and may include any number and types of telecommunications components. In this manner, CDN-based components may be added to an existing IP-based communication network such that the components receive a request for content, retrieve the content from a storage device, and provide the content to the requesting device through the supporting IP network. For simplicity, the use of the term “CDN” throughout this disclosure refers to the combination of the one or more content servers and the underlying IP network for processing and transmitting communications, unless otherwise noted.

In one embodiment, a user device 104 connects to the CDN 102 through one or more access networks 106 to request and receive content or content files from the CDN. The access network 106 may be under the control of or operated/maintained by one or more entities, such as, for example, one or more Internet Service Providers (ISPs) that provide access to the CDN 102. Thus, for example, the access network 106 may provide Internet access to a user device 104. In addition, the access network 106 may include several connections to the IP network of the CDN 102. For example, access network 106 includes access point 120 and access point 122. Also, the user device 104 may be connected to any number of access networks 106 such that access to the CDN 102 may occur through another access network. In general, access to a CDN 102 (or underlying IP network associated with the CDN) may occur through any number of ingress ports to the CDN through any number of access networks. In yet another embodiment, the user device 104 may be a component of access network 106.

The CDN 102 is capable of providing content to a user device 104, which is generally any form of computing device, such as a personal computer, mobile device, tablet (e.g., iPad), or the like. Content may include, without limitation, videos, multimedia, images, audio files, text, documents, software, and other electronic resources. The user device 104 is configured to request, receive, process, and present content. In one implementation, the user device 104 includes an Internet browser application with which a link (e.g., a hyperlink) to a content item may be selected or otherwise entered, causing a request to be sent to a directory server 110 in the CDN 102.

The directory server 110 responds to the request by providing a network address (e.g., an IP address) where the content associated with the selected link can be obtained. In one implementation, the directory server 110 provides a domain name system (DNS) service, which resolves an alphanumeric domain name to an IP address. The directory server 110 resolves the link name (e.g., URL or other identifier) to an associated network address from which the user device 104 can retrieve the content. The operation of the directory server 110 and access network 106 to resolve requests for content from the user device 104 is discussed in more detail below with reference to FIG. 2.

In one implementation, the CDN 102 includes an edge server 112, which may cache content from another server to make it available in a more geographically or logically proximate location to the user device 104. The edge server 112 may reduce network loads, optimize utilization of available capacity, lower delivery costs, and/or reduce content download time. The edge server 112 is configured to provide requested content to a requestor, which may be the user device 104, possibly via an intermediate device, for example, in the access network 106. In one implementation, the edge server 112 provides the requested content that is locally stored in cache. In another implementation, the edge server 112 retrieves the requested content from another source, such as a media access server (MAS) (e.g., a content distribution server 114 or a content origin server 116 of a content provider network 118). The content is then served to the user device 104 in response to the requests.

In one implementation, a user of the user computing device 104 enters a link name (e.g., URL or other identifier) into a browser executed on the computing device. The link name is associated with a network address within the CDN 102 at which the content may be obtained and provided to the computing device. For example, the user or the user device may enter a URL such as www.example.com/content into the browser of the computing device 104. Upon entering the URL, the browser may extract the hostname (www.example.com in this particular case) and send a request (possibly via an operating system running within the computing device 104) to a domain name server (DNS) associated with the user's access network 106. The DNS associated with the user's access network is known as the ISP resolver. In one example, the DNS request transmitted to the ISP resolver from the computing device 104 includes the hostname of the requested content, as well as an IP address associated with the computing device.

While the ISP resolver is often implemented to cache responses, the ISP resolver often does not have a cached IP address for the requested content within the CDN 102. In such cases, the ISP resolver transmits a second DNS request to a DNS server (such as directory server 110) of the CDN 102 to determine an IP address in the CDN 102 at which the content file may be obtained. Thus, in one embodiment, the DNS server 110 of the CDN 102 may be referred to as an Authority Server. Similar to the DNS request above, the DNS request to the Authority Server 110 may include the hostname of the requested content, as well as an IP address associated with the computing device and/or an IP address associated with the ISP resolver of the access network 106.

In many instances, a proxy server is associated with one or more content servers of the CDN. For example, FIG. 2 is an example network environment 200 for utilizing a proxy server 204 with a web content server 202 of a customer of a CDN. In general, the proxy server 204 acts as a gateway to the content server 202 for the clients 206-210 of the CDN. As such, requests from the clients 206-210 for content maintained by the content server 202 are received and processed by the proxy server 204 before being provided to the content server. The proxy server 204 may be configured to process each request and potentially deny access to the content server 202 to one or more client devices 206-210 based on any number of processing rules. For example, if a request from client 206 is identified as part of a DOS attack, the proxy server 204 may deny access (or block) the client device at that IP address from accessing the content server 202. Typically, the client devices 206-210 are unaware of the presence of the proxy server 204 in the network. Further, in some embodiments a proxy server 204 may provide the proxy server functions for several such content servers 202. In other words, requests to several content servers may be first processed by a proxy server, such as proxy server 204.

In the present disclosure, the proxy server 204 may execute methods or techniques to identify potential DOS attacks from one or more of the client devices 206-210. When such attacks are identified, the proxy server 204 may further take actions to prevent access to the content server 202 from the identified client IP addresses for some time. FIG. 3 illustrates one such method 300 for detecting a potential denial of service attack on a web content server of a CDN. In general, the operations of the method 300 of FIG. 3 may be performed by a proxy server of a CDN. In other embodiments, the operations are performed by one or more telecommunication devices (such as an application server) in communication with the proxy server to control the gateway function of the proxy server. Such operations may be performed through one or more processor-executed software instructions, one or more hardware components arranged to perform the described functions, or a combination of both software and hardware components.

Beginning in operation 302, the proxy server obtains an access log that includes the URL requests intended for the content server from one or more client devices. For example, a client device (identified with an IP address) may transmit a URL request to the content server to obtain a webpage. The URL request from the client device may be received at the proxy server 204 and stored in the access log. Upon storing, the proxy server 204 may transmit the received URL request to the content server 202 for processing by the content server. In some instances explained in more detail below, the proxy server 204 may act as a firewall-type device for the content server 202 and deny some requests for content from the content server. In general, the URL request may include the URL request type, the IP address of the requesting device, the URL destination address, the date/time stamp the URL request is received, and similar information. Each URL request to the content server 202 is logged accordingly in the access log of the content server or proxy server 204.

As mentioned above, many URL requests are typically followed by similar URL requests from the same client device. For example, the URL request may be for a webpage. The content server, upon receiving the request, provides an HTML document to the client device. When the returned HTML document is processed by a browser program on the client device, the web page is displayed within the browser on the client's display. In many instances, the HTML document instructs the client device to obtain or request additional information from the content server in order to fully display the web page. Thus, the client device may again transmit another URL request to the content server to obtain the additional content for the web page. In general, each URL request includes some indication of the content being requested. Often, several URL requests for content from the content server 202 are received at the proxy server 204 in order for the client device to fully display the web page. Each of the URL requests to provide the web page to the client device at the associated IP address is then included in the access log of the proxy server.

In operation 304, the proxy server 204 breaks up the access log into intervals of X seconds (or any other type of timeframe) and processes the information in the access log for each interval. In one example, the proxy server may obtain and process the access log every second, although any length of time may be utilized by the proxy server 204 when processing new additions to the access log. During processing in operation 306, the proxy server 204 scans the log for an indication of a single URL request received from an IP address that is not followed within the designated time window by additional URL requests from the same IP address. As mentioned above, typical requests for content include several related URL requests received soon after the initial request for the content. However, DOS attacks may not include the several related URL requests that follow the initial request. Rather, a DOS attack may be characterized by receiving a single URL request from the requesting device 206-210 without the additional related URL requests within the X time window. In one embodiment, the proxy server 204 may scan the access log for more than one such URL request from the same IP address (or same requesting device 206-210). In other words, a single URL request from an IP address not followed by the related URL requests may not be noted as suspicious, but two or more such URL requests from the same or related requesting devices 206-210 not followed by the related URL requests may be noted as suspicious by the proxy server 204.

In operation 308, entries in the access log that meet the above criteria are indicated as suspicious by the proxy server 204 in a listing of recent suspicious activity at the content server 202. In particular, the proxy server 204 may maintain a listing of all IP addresses that are marked as suspicious in the above processing of the access log. This listing may include, in one instance, the IP address and a count of the number of noted suspicious URL requests to the content server. In one embodiment, the listing of suspicious activity from an IP address may be maintained in the list for a finite time period, such as time period Y. For example, the listing may include a count for each suspicious IP address over the previous 1,000 seconds, although any length of time for maintaining a listing of suspicious IP addresses may be utilized by the proxy server 204. Through the operations above, the proxy server 204 thus processes an access log to a content server 202 to determine if any URL request is received that is not followed by expected additional URL requests from the same or related IP address. When found, the proxy server 204 stores an indication of the suspicious IP address and maintains a count of each instance for that IP address over a period of time.

With the list and count of suspicious activity from IP addresses obtained through the method 300 of FIG. 3, the proxy server 204 may also take one or more actions based on the information stored in the list. For example, FIG. 4 is a flowchart of a method 400 for preventing a potential denial of service attack on a web content server 202 of a CDN. Similar to the method described above, the operations of the method 400 of FIG. 4 may be performed by the proxy server 204 or any other telecommunications devices through a combination of hardware and software components.

Beginning in operation 402, the proxy server 204 receives the suspicious activity for the content server 202 through the process discussed above. Such activity may be for one or more content servers 202 of the telecommunications network. In operation 404, the proxy server 204 aggregates the detected suspicious activity for a particular IP address over a time period Y. As explained above, the proxy server 204 may maintain a listing of suspicious IP addresses and a count of the number of noted suspicious URL requests to the content server 202 from each of the suspicious IP addresses in the listing. Further, the instances of suspicious activity from any IP address may be maintained in the list for a finite time period Y, such as 1,000 seconds. Through this listing, a snapshot for a period of time of the detected suspicious URL requests from any such IP address accessing the content server 202 is determined by the proxy server 204.

One or more activities or responses may be executed by the proxy server 204 based on the information maintained by the proxy server. For example, in operation 406 the proxy server 204 processes the list of suspicious activity and determines if the count of received suspicious URL requests exceeds a first threshold value. For example, the proxy server 204 may determine if the number of suspicious requests received at the proxy server from a particular IP address within the Y time period exceeds or equals a threshold value of five. If not, the proxy server 204 returns to operation 402 to monitor additional potential suspicious URL requests. However, if the suspicious activity count exceeds or equals the first threshold value, the proxy server 204 may transmit or otherwise provide a report or alert to a system administrator indicating the IP address associated with the suspicious activity in operation 408. In one embodiment, the reporting of the suspicious IP address includes generating and transmitting an electronic mail to the system administrator. In another embodiment, the reporting includes logging the IP address into a list of suspicious IP addresses that is accessible by the system administrator.

Further, in operation 410, the proxy server 204 may process the list of suspicious activity to determine if the count of received suspicious URL requests exceeds or equals a second threshold value. Generally, the second threshold value is higher than the first threshold value. In one embodiment, the second threshold value is 10 such that a count of 10 or more suspicious requests from an IP address within the Y time period triggers a second response. If the count for the IP address has not reached the second threshold value, the proxy server 204 returns to operation 402 to monitor additional potential suspicious URL requests. However, if the suspicious activity count exceeds or equals the second threshold value, the proxy server 204 may execute a blocking feature in operation 412 that prevents the suspected IP address from accessing the content server 202 for a period of time. For example, the proxy server 204 may add the suspicious IP address to an IP table of blocked addresses that prevents access to the content server 202. The suspicious IP address may be included in the IP table for a set period of time and removed when the period of time expires. When a request is received at the proxy server 204 intended for the content server 202 from the blocked IP address, the proxy server may deny the request for the content. As explained below, the period of time the suspicious IP address is blocked may vary based on several factors. Through the method 400 of FIG. 4, the proxy server 204 may undertake one or more actions to prevent a potential DOS attack from one or more suspicious IP addresses.
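Methods 300 and 400 above, carried through in code. This is an added example and not the patent's implementation: the access-log line format (epoch seconds, client IP, method, path), the one-second window X, the 1,000-second retention period Y, the report and block thresholds of five and ten, and the 600-second block period are assumptions taken from or added to the description, and the log lines are constructed. Two caveats a deployment would have to address: a returning visitor whose browser has cached the page's sub-resources also issues a lone request for the HTML, and many clients behind one NAT address share a single count.

```python
"""Methods 300 and 400: flag lone URL requests in a proxy access log, count
them per IP over a retention window, and report or block above thresholds.
Added example, not the patent's own code. Log format is an assumption:
"<epoch-seconds> <client-ip> <method> <path>", one request per line."""
from collections import defaultdict

WINDOW_X = 1           # seconds per detection interval (operation 304)
RETAIN_Y = 1000        # seconds a suspicious count is kept (operation 404)
MIN_REPEATS = 2        # lone requests per window before they count as suspicious
REPORT_THRESHOLD = 5   # first threshold: alert an administrator (406/408)
BLOCK_THRESHOLD = 10   # second threshold: block the address (410/412)
BLOCK_SECONDS = 600    # assumed block period; the patent leaves it configurable


def parse_log(lines):
    """Parse access-log lines into (timestamp, ip, method, path) tuples."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                           # skip malformed entries
        ts, ip, method, path = parts
        events.append((int(ts), ip, method, path))
    return events


def find_suspicious(events, window=WINDOW_X, min_repeats=MIN_REPEATS):
    """Operation 306: return one (timestamp, ip) per lone request.

    A request is lone when, inside its window, the same IP asked for that one
    URL at least min_repeats times and for nothing else: a page fetch without
    the related sub-resource requests a browser would normally issue."""
    per_window = defaultdict(list)
    for ts, ip, _method, path in events:
        per_window[(ts // window, ip)].append((ts, path))
    flagged = []
    for (_, ip), reqs in per_window.items():
        if len(reqs) >= min_repeats and len({path for _, path in reqs}) == 1:
            flagged.extend((ts, ip) for ts, _ in reqs)
    return flagged


def aggregate(flagged, now, retain=RETAIN_Y):
    """Operation 404: count flagged requests per IP within the last retain seconds."""
    counts = defaultdict(int)
    for ts, ip in flagged:
        if now - retain < ts <= now:
            counts[ip] += 1
    return dict(counts)


def decide(counts, report_at=REPORT_THRESHOLD, block_at=BLOCK_THRESHOLD):
    """Operations 406-412: 'block' at the second threshold, 'report' at the first."""
    return {ip: "block" if n >= block_at else "report" if n >= report_at else "ok"
            for ip, n in counts.items()}


class BlockList:
    """The 'IP table of blocked addresses'; an entry lapses after block_seconds."""
    def __init__(self, block_seconds=BLOCK_SECONDS):
        self.block_seconds, self.expiry = block_seconds, {}

    def block(self, ip, now):
        self.expiry[ip] = now + self.block_seconds

    def is_blocked(self, ip, now):
        if now >= self.expiry.get(ip, 0):
            self.expiry.pop(ip, None)          # removed when the period expires
            return False
        return True


def analyse(lines, now):
    """Run method 300 then method 400; return (counts per IP, decision per IP)."""
    counts = aggregate(find_suspicious(parse_log(lines)), now)
    return counts, decide(counts)


# Constructed sample log, not captured traffic.
SAMPLE_LOG = (
    # browser: a page request followed by related sub-resource requests
    ["1000 198.51.100.7 GET /index.html", "1000 198.51.100.7 GET /style.css",
     "1000 198.51.100.7 GET /logo.png", "1001 198.51.100.7 GET /about.html",
     "1001 198.51.100.7 GET /style.css"]
    # monitor: one /api/status request per second, never repeated in a window
    + [f"{t} 192.0.2.5 GET /api/status" for t in range(1000, 1011)]
    # flood: four bare /index.html requests per second for three seconds
    + [f"{t} 203.0.113.9 GET /index.html" for t in range(1000, 1003) for _ in range(4)]
    # lone login requests: two too old to count, then six inside the Y window
    + ["1 203.0.113.10 POST /login", "1 203.0.113.10 POST /login"]
    + [f"{t} 203.0.113.10 POST /login" for t in (1005, 1005, 1005, 1006, 1006, 1006)]
)

if __name__ == "__main__":
    now = 1010
    counts, decisions = analyse(SAMPLE_LOG, now)
    blocks = BlockList()
    for ip, action in sorted(decisions.items()):
        print(f"{ip:14} suspicious={counts[ip]:2} -> {action}")
        if action == "block":
            blocks.block(ip, now)
    print("blocked now:", blocks.is_blocked("203.0.113.9", now),
          "after expiry:", blocks.is_blocked("203.0.113.9", now + BLOCK_SECONDS))
```

On the constructed log the flood source reaches a count of 12 and is blocked, the repeated lone logins reach 6 and are only reported (the two requests at second 1 fall outside the 1,000-second window), and neither the browser nor the once-per-second monitor is counted at all, since the browser requests several distinct URLs per window and the monitor never repeats within one.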

In some embodiments of the proxy server 204, several of the above-described operations are configurable to further refine the detection of suspicious activity from one or more IP addresses and the actions taken to prevent a potential DOS attack. For example, some URL requests to a content server 202 may not follow the typical form of a first URL request from the IP address followed by additional URL requests from the same IP address for additional content. Rather, some content servers 202 may operate similarly to an application program interface (API) server that typically receives single URL requests without additional related URL requests. More particularly, these single URL requests may be of a certain type of URL request such that the proxy server 204 may be configured to monitor for those types of URL requests and to not indicate such requests as suspicious. In one embodiment, the proxy server 204 may utilize a regular expression search pattern that matches or otherwise indicates a typically single URL request. When a match is received from an IP address, the proxy server 204 may not note the URL request as suspicious such that a count of suspicious activity from the IP address is not incremented when the single URL request is received.

In a similar embodiment, the response action taken by the proxy server 204 to prevent a DOS attack may vary based on a type of URL request detected in the access log. For example, some URL requests may request more information or content from the content server 202 than other requests. Such requests are particularly useful in a DOS attack, and the receipt of multiple requests of these types from the same IP address within the Y time period is a strong indicator of a DOS attack. As such, the threshold values for reporting and/or blocking the IP address at the proxy server 204 may be lowered for the particular types of URL requests. For example, multiple URL requests for a particular .pdf type file from the IP address indicate a high likelihood of a DOS attack. Thus, for .pdf URL requests, the threshold values may be decreased to ensure the proxy server 204 responds more quickly to the DOS request. Utilizing the above example, the threshold value for .pdf URL requests may be lowered to two (down from five) to trigger a reporting action and four (down from ten) to trigger a blocking action. An increase in sensitivity of the system may be applied for other types of URL requests, such as requests for error messages, URL POST requests, URL OPTIONS requests, and the like.

In a similar manner, the parameters of a preventative action taken by the proxy server 204 may be adjusted in response to conditions of the detected suspicious activities. For example, if the proxy server 204 determines that a particular IP address is a consistent source of suspicious activity, the threshold value to trigger a report/blocking activity for that particular IP address may be lowered. In one particular embodiment, a database of known sources of DOS attacks listed by IP address may be accessed by the proxy server 204 to compare with suspicious IP addresses. Further, the length of a blocking period for that particular IP address may be increased as more and more suspicious activities are detected from the particular IP address. In general, any of the parameters of the actions undertaken by the proxy server in response to a detected suspicious activity from an IP address may be configurable.

In still another embodiment, the proxy server 204 may be configured to monitor for a DDOS attack from multiple IP addresses. In particular, the proxy server 204 may analyze the types and patterns of suspicious received URL requests. If several IP addresses provide the same types and patterns of URL requests, such IP addresses may be a part of a DDOS attack. In some embodiments, each detected instance of attack from the multiple IP addresses may be aggregated into a single count in the list of suspicious activity. In other words, rather than storing a count of suspicious activity for each individual IP address, the proxy server 204 may treat each of the multiple IP addresses of the potential DDOS attack as one when aggregating the count for that attack. In this embodiment, each of the multiple IP addresses may be reported and/or blocked based on the combined suspicious count for all of the suspicious IP addresses. In this manner, the proxy server 204 may more quickly detect and respond to a potential DDOS attack from the multiple IP addresses.
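The four refinements described in the preceding paragraphs (exempting API-style single requests by regular expression, lowering the thresholds for heavy request types such as .pdf, lowering them further for IP addresses found in a known-sources database, and combining the counts of IP addresses that show the same request pattern so a DDOS is caught sooner) can be seen together in one small access-log analyser. This is an added example, not code from the patent or its assignee: the log line format, the 5-second follow-up gap used to tell a bare page request from a normal one, the 60-second "Y" window, the rule of halving thresholds for known sources, the sample addresses and paths, and every function name are assumptions made here. A count that meets or exceeds a threshold triggers the action, following the Abstract's "met or exceeded" wording rather than the claims' "greater than".

```python
"""Access-log DOS detector in the style of the proxy-server analysis described above.
Log format, addresses, paths, windows, the known-source rule and all names are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: ip [timestamp] "METHOD path proto" status).
SAMPLE_LOG = """\
203.0.113.10 [10/Oct/2023:13:55:00] "GET /index.html HTTP/1.1" 200
203.0.113.10 [10/Oct/2023:13:55:01] "GET /static/site.css HTTP/1.1" 200
198.51.100.7 [10/Oct/2023:13:55:02] "GET /reports/annual.pdf HTTP/1.1" 200
198.51.100.7 [10/Oct/2023:13:55:03] "GET /reports/annual.pdf HTTP/1.1" 200
198.51.100.7 [10/Oct/2023:13:55:04] "GET /reports/annual.pdf HTTP/1.1" 200
198.51.100.7 [10/Oct/2023:13:55:05] "GET /reports/annual.pdf HTTP/1.1" 200
192.0.2.5 [10/Oct/2023:13:55:06] "GET /api/v1/status HTTP/1.1" 200
192.0.2.5 [10/Oct/2023:13:55:07] "GET /api/v1/status HTTP/1.1" 200
192.0.2.5 [10/Oct/2023:13:55:08] "GET /api/v1/status HTTP/1.1" 200
192.0.2.5 [10/Oct/2023:13:55:09] "GET /api/v1/status HTTP/1.1" 200
192.0.2.5 [10/Oct/2023:13:55:10] "GET /api/v1/status HTTP/1.1" 200
203.0.113.20 [10/Oct/2023:13:55:12] "GET /index.html HTTP/1.1" 200
203.0.113.20 [10/Oct/2023:13:55:13] "GET /index.html HTTP/1.1" 200
203.0.113.20 [10/Oct/2023:13:55:14] "GET /index.html HTTP/1.1" 200
203.0.113.21 [10/Oct/2023:13:55:15] "GET /index.html HTTP/1.1" 200
203.0.113.21 [10/Oct/2023:13:55:16] "GET /index.html HTTP/1.1" 200
203.0.113.21 [10/Oct/2023:13:55:17] "GET /index.html HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})$')
RELATED_ASSET_RE = re.compile(r'\.(css|js|png|jpg|gif|ico)$', re.I)  # follow-up requests of a group
API_SINGLE_RE = re.compile(r'^/api/')            # regex for typically single (API-style) requests: not counted
FOLLOW_UP = timedelta(seconds=5)                 # a genuine first request normally has related requests within this gap
WINDOW = timedelta(seconds=60)                   # the "Y" time period over which suspicious entries are counted
DEFAULT_THRESHOLDS = {'report': 5, 'block': 10}
TYPE_THRESHOLDS = {'pdf': {'report': 2, 'block': 4}}   # lowered thresholds for heavier request types
SEVERITY = {'none': 0, 'report': 1, 'block': 2}


def parse_log(text):
    """Return (ip, timestamp, method, path) tuples for every parseable line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S')
            entries.append((m['ip'], ts, m['method'], m['path']))
    return entries


def request_type(path):
    return 'pdf' if path.lower().endswith('.pdf') else 'default'


def suspicious_first_requests(entries):
    """Yield first-of-group requests that no related request from the same IP followed."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e[0]].append(e)
    for evs in by_ip.values():
        for ip, ts, _, path in sorted(evs, key=lambda e: e[1]):
            if RELATED_ASSET_RE.search(path) or API_SINGLE_RE.match(path):
                continue  # a follow-up asset, or an exempted single-request type
            followed = any(RELATED_ASSET_RE.search(p) and ts < t2 <= ts + FOLLOW_UP
                           for _, t2, _, p in evs)
            if not followed:
                yield ip, ts, path


def count_suspicious(entries, window=WINDOW):
    """Count suspicious entries per (ip, type) inside the window that ends at the newest log line."""
    if not entries:
        return {}
    newest = max(ts for _, ts, _, _ in entries)
    counts, paths = defaultdict(int), defaultdict(set)
    for ip, ts, path in suspicious_first_requests(entries):
        if newest - ts <= window:
            key = (ip, request_type(path))
            counts[key] += 1
            paths[key].add(path)
    return {k: (n, frozenset(paths[k])) for k, n in counts.items()}


def thresholds_for(rtype, ip, known_sources):
    t = dict(TYPE_THRESHOLDS.get(rtype, DEFAULT_THRESHOLDS))
    if ip in known_sources:  # assumption: halve the thresholds for IPs in the known-source database
        t = {k: max(1, v // 2) for k, v in t.items()}
    return t


def decide(entries, known_sources=frozenset(), window=WINDOW):
    """Map every IP in the log to 'none', 'report' or 'block'."""
    stats = count_suspicious(entries, window)
    # DDOS handling: IPs issuing the same request type and the same set of paths share one combined count
    groups = defaultdict(list)
    for (ip, rtype), (_, sig) in stats.items():
        groups[(rtype, sig)].append(ip)
    actions = {ip: 'none' for ip, *_ in entries}
    for (ip, rtype), (n, sig) in stats.items():
        members = groups[(rtype, sig)]
        effective = sum(stats[(m, rtype)][0] for m in members) if len(members) > 1 else n
        t = thresholds_for(rtype, ip, known_sources)
        action = 'block' if effective >= t['block'] else 'report' if effective >= t['report'] else 'none'
        if SEVERITY[action] > SEVERITY[actions[ip]]:
            actions[ip] = action
    return actions
```

Running `decide(parse_log(SAMPLE_LOG))` on the constructed log yields no action for 203.0.113.10 (its page request was followed by a related asset) and for 192.0.2.5 (five API requests, all exempt by the regular expression), a block for 198.51.100.7 (four bare .pdf requests meet the lowered block threshold of four), and a report for 203.0.113.20 and 203.0.113.21, each of which alone stays under the default report threshold but whose identical pattern is aggregated to six. Passing `known_sources={'203.0.113.20'}` halves that address's thresholds and turns its report into a block while its partner stays at report.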

FIG. 5 is a block diagram illustrating an example of a computing device or computer system 500 which may be used in implementing the embodiments of the network disclosed above. In particular, the computing device of FIG. 5 is one embodiment of the proxy server or other networking component that performs one or more of the operations described above. The computer system (system) includes one or more processors 502-506. Processors 502-506 may include one or more internal levels of cache (not shown) and a bus controller or bus interface unit to direct interaction with the processor bus 512. Processor bus 512, also known as the host bus or the front side bus, may be used to couple the processors 502-506 with the system interface 514. System interface 514 may be connected to the processor bus 512 to interface other components of the system 500 with the processor bus 512. For example, system interface 514 may include a memory controller 515 for interfacing a main memory 516 with the processor bus 512. The main memory 516 typically includes one or more memory cards and a control circuit (not shown). System interface 514 may also include an input/output (I/O) interface 520 to interface one or more I/O bridges or I/O devices with the processor bus 512. One or more I/O controllers and/or I/O devices may be connected with the I/O bus 526, such as I/O controller 528 and I/O device 550, as illustrated.

I/O device 550 may also include an input device (not shown), such as an alphanumeric input device, including alphanumeric and other keys for communicating information and/or command selections to the processors 502-506. Another type of user input device includes cursor control, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to the processors 502-506 and for controlling cursor movement on the display device.

System 500 may include a dynamic storage device, referred to as main memory 516, or a random access memory (RAM) or other computer-readable devices coupled to the processor bus 512 for storing information and instructions to be executed by the processors 502-506. Main memory 516 also may be used for storing temporary variables or other intermediate information during execution of instructions by the processors 502-506. System 500 may include a read only memory (ROM) and/or other static storage device coupled to the processor bus 512 for storing static information and instructions for the processors 502-506. The system set forth in FIG. 5 is but one possible example of a computer system that may employ or be configured in accordance with aspects of the present disclosure.

According to one embodiment, the above techniques may be performed by computer system 500 in response to processor 504 executing one or more sequences of one or more instructions contained in main memory 516. These instructions may be read into main memory 516 from another machine-readable medium, such as a storage device. Execution of the sequences of instructions contained in main memory 516 may cause processors 502-506 to perform the process steps described herein. In alternative embodiments, circuitry may be used in place of or in combination with the software instructions. Thus, embodiments of the present disclosure may include both hardware and software components.

A machine readable medium includes any mechanism for storing or transmitting information in a form (e.g., software, processing application) readable by a machine (e.g., a computer). Such media may take the form of, but are not limited to, non-volatile media and volatile media. Non-volatile media includes optical or magnetic disks. Volatile media includes dynamic memory, such as main memory 516. Common forms of machine-readable media may include, but are not limited to, magnetic storage medium (e.g., floppy diskette); optical storage medium (e.g., CD-ROM); magneto-optical storage medium; read only memory (ROM); random access memory (RAM); erasable programmable memory (e.g., EPROM and EEPROM); flash memory; or other types of medium suitable for storing electronic instructions.

Embodiments of the present disclosure include various steps, which are described in this specification. The steps may be performed by hardware components or may be embodied in machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with the instructions to perform the steps. Alternatively, the steps may be performed by a combination of hardware, software and/or firmware.

Various modifications and additions can be made to the exemplary embodiments discussed without departing from the scope of the present invention. For example, while the embodiments described above refer to particular features, the scope of this invention also includes embodiments having different combinations of features and embodiments that do not include all of the described features. Accordingly, the scope of the present invention is intended to embrace all such alternatives, modifications, and variations together with all equivalents thereof.

We claim:
1. A method for managing a content delivery network (CDN), the method comprising: obtaining an access log of a proxy server in communication with an associated content server of the CDN, the access log comprising uniform resource locator (URL) requests for content intended for the associated content server; scanning the access log to detect a plurality of entries in the access log indicating the proxy server receiving a first URL request of a group of related URL requests from a particular Internet Protocol (IP) address associated with a requesting device, the receiving of the first URL request of the group of related URL requests from the particular IP address occurring within a first timeframe; comparing the plurality of entries in the access log indicating the proxy server receiving the first URL request of the group of related URL requests from the particular IP address associated with a requesting device to a first threshold value; and storing the particular IP address in a listing of potential sources of denial of service (DOS) attacks on the associated content server when the plurality of entries in the access log indicating the proxy server receiving the first URL request of the group of related URL requests from the particular IP address associated with a requesting device is greater than the first threshold value.
2. The method of claim 1 further comprising: executing a remedial instruction in response to the storing of the particular IP address in the listing of potential sources of DOS attacks.
3. The method of claim 2 wherein the remedial instruction comprises transmitting a report to an administrator device associated with an administrator of the proxy server, the report comprising a listing of particular IP address associated with a requesting device.
4. The method of claim 2 further comprising: comparing the plurality of entries in the access log indicating the proxy server receiving the first URL request of the group of related URL requests from the particular IP address associated with a requesting device to a second threshold value, the second threshold value greater than the first threshold value.
5. The method of claim 4 wherein the remedial instruction comprises utilizing the proxy server to block access to the content of the associated content server by the particular IP address for a remedial period of time when the plurality of entries in the access log indicating the proxy server receiving the first URL request of the group of related URL requests from the particular IP address associated with a requesting device is greater than the second threshold value.
6. The method of claim 5 further comprising: comparing the particular IP address to a database of known IP addresses of previously received DOS attacks to determine if the IP address is included in the database of known IP addresses.
7. The method of claim 6 further comprising: analyzing the first URL request of the group of related URL requests from the particular IP address associated with a requesting device to determine a pattern of DOS attack requests from the IP address; and storing the pattern of DOS attack requests from the IP address in the database of known IP addresses of previously received DOS attacks.
8. The method of claim 1 further comprising: aggregating the plurality of entries in the access log indicating proxy server receiving the first URL request of a group of related URL requests from the particular IP address occurring within a second timeframe.
9. A content delivery network (CDN) comprising: a content server through which content is available to a plurality of requesting devices; and a proxy server in communication between the content server and the plurality of requesting devices, the proxy server configured to: obtain an access log comprising uniform resource locator (URL) requests for content intended for the associated content server; detect a plurality of entries in the access log indicating the proxy server receiving a first URL request of a group of related URL requests from a particular Internet Protocol (IP) address associated with a requesting device of the plurality of requesting devices within a first timeframe; compare the plurality of entries in the access log indicating the proxy server receiving the first URL request of the group of related URL requests from the particular IP address associated with a requesting device to a first threshold value; and store the particular IP address in a listing of potential sources of denial of service (DOS) attacks on the associated content server when the plurality of entries in the access log indicating the proxy server receiving the first URL request of the group of related URL requests from the particular IP address associated with a requesting device is greater than the first threshold value.
10. The content delivery network of claim 9 wherein the proxy server further executes a remedial instruction in response to the storing of the particular IP address in the listing of potential sources of DOS attacks.
11. The content delivery network of claim 10 wherein the remedial instruction comprises transmitting a report to an administrator device associated with an administrator of the proxy server, the report comprising a listing of particular IP address associated with a requesting device.
12. The content delivery network of claim 10 wherein the proxy server further compares the plurality of entries in the access log indicating the proxy server receiving the first URL request of the group of related URL requests from the particular IP address associated with a requesting device to a second threshold value, the second threshold value greater than the first threshold value.
13. The content delivery network of claim 12 wherein the remedial instruction comprises blocking access to the content of the associated content server by the particular IP address for a remedial period of time when the plurality of entries in the access log indicating the proxy server receiving the first URL request of the group of related URL requests from the particular IP address associated with a requesting device is greater than the second threshold value.
14. The content delivery network of claim 13 wherein the proxy server further compares the particular IP address to a database of known IP addresses of previously received DOS attacks to determine if the IP address is included in the database of known IP addresses.
15. The content delivery network of claim 14 wherein the proxy server analyzes the first URL request of the group of related URL requests from the particular IP address associated with a requesting device to determine a pattern of DOS attack requests from the IP address and stores the pattern of DOS attack requests from the IP address in the database of known IP addresses of previously received DOS attacks.
16. The content delivery network of claim 9 wherein the particular URL request for content received at the proxy server comprises a URL request type indicating a type of content requested from the associated content server.
17. The content delivery network of claim 16 wherein the proxy server further adjusts the first threshold value based at least on the URL request type included in the URL request for content received at the associated content server.
18. The content delivery network of claim 9 wherein the proxy server further aggregates the plurality of entries in the access log indicating the associated content server receiving the first URL request of a group of related URL requests from the particular IP address occurring within a second timeframe.